Top security incidents of 2011

Although vendor-written, this contributed piece does not advocate a position that is particular to the author's employer and has been edited and approved by Network World editors.

Everyone will agree that 2011 was a busy year in the field of data security, so as the year draws to a close it seems appropriate to begin the process of distilling our experiences into "lessons learned" that we can take into 2012.

Of course, there isn't room here to conduct a thorough examination of every significant event. Listing only the largest and most publicized events runs the risk of burying some of the more interesting items. So events are selected according to a combination of magnitude and ability to inform our thinking going forward.

In March we learned that the Comodo Certificate Authority had been compromised via one of its small regional resellers and tricked into issuing fraudulent certificates for a variety of high-profile websites such as Google. An independent Iranian hacker claimed responsibility.

In August, an alert user detected that fraudulent certificates were being used in a massive man-in-the-middle attack conducted against Gmail users in Iran. He found that Google's Chrome browser was giving warnings about the certificate appearing on Google's own websites. Word spread quickly that the Dutch CA DigiNotar had, in fact, been compromised for quite some time. In September DigiNotar earned the dubious distinction of being the first CA ever to be removed from browsers' list of trusted roots for weak security.

What we learned:

* The security of every browser user in the world really does depend on every little CA reseller and sub-CA that we've never heard of before.

* Current certificate revocation systems are simply not effective.

* CA "pinning" can provide improved security, but currently only browser vendors have access to it.

* One person can make a difference.

Sony

After retroactively banning Linux from their customers' previously purchased PlayStation 3 systems and filing a lawsuit against researchers GeoHot and fail0verflow whose work was poised to re-enable it, all of Sony's online systems (and then some) seemed to come under attack.

It started with DDoS attacks attributed to the Anonymous collective and went downhill from there. Other hackers found they could use a custom root CA to modify the messages exchanged between the PS3 and the PlayStation Network, reportedly enabling them to connect to internal developer systems.

* The cost of an attack may be far in excess of the business value of the data itself. This overturns the conventional risk management guideline to not invest more to secure an asset than the asset itself is "worth."

There was an old saying that English has no direct counterpart to the German word Schadenfreude, meaning "enjoyment which comes from the misfortune of others." So perhaps it was inevitable that we would need such a word handy in describing the events of 2011.

Fortunately, the same odd corners of the Internet that seemingly inspire this class of attacker have given us just such a word: lulz.

In mid-2011 a new hacking group named LulzSec appears on the scene, seeming to spring fully formed from the head(s) of Anonymous. Except that their activity is qualitatively different.

Eschewing the blunt instrument DDoS tool of its progenitor (the Low-Orbit Ion Cannon), this group's preferred modus operandi was to penetrate systems and leak the largest amount of the most damaging information possible.

To be sure Anonymous used this tactic, too, but LulzSec seemed to represent a refinement of it. They also skip the meta-political goals of Anonymous and instead project an image of a group seeking to shock us out of complacency and enjoying every minute of it.

What we learned:

* Attackers may not have the motivations that your security controls were designed to defend against (e.g. financial gain). They may be "in it for the lulz," or something else entirely.

RSA

RSA is well known for two things: the amazingly useful public key encryption algorithm (which gave the company its name), and the RSA SecurID brand of hardware tokens for user authentication (which do not actually use the RSA algorithm). Today RSA is a subsidiary of EMC Corporation.

In March, the company disclosed that it had been the target of a successful cyberattack in which the attackers obtained some type of information which allowed them to reduce the protection provided by the tokens. Within a few weeks it was reported that this information had been used in intrusion attempts at U.S. defense contractors, but there is little to suggest that the abuse is more widespread.

Many customers were disappointed in RSA's reticence to share information about the attack, which would enable customers to make informed estimates of their own risk. Some were surprised that RSA would retain SecurID "key seed" data at all. (Ironically, the RSA algorithm is often used specifically to avoid sharing such secret keys unnecessarily.)

What we learned:

* We are dependent on our vendors.

* Even the most well-regarded technology companies can be "pwned" by an Adobe Flash zero-day.

* Continuous monitoring is essential.

* An attacker may seek to use you as merely a stepping stone in a larger plan.

Of course there were plenty of other noteworthy incidents from 2011 that there simply isn't space here to discuss: the (former) Tunisian government's man-in-the-middle attack on Facebook's login authentication, the breach of Syria's BlueCoat logs, kernel.org, and so on.

Perhaps 2012 will bring us less interesting times!

Ray is a senior software development engineer at PhoneFactor, where he is a core developer of the PhoneFactor authentication system. In 2009, he discovered the TLS renegotiation flaw, co-wrote the disclosure paper, and was an author of RFC 5746, TLS Renegotiation Extension, in 2010. Also in 2010, he disclosed the NTLM authentication forwarding flaw. He is a regular participant in the IETF TLS working group, and participates in other IETF and non-IETF security and cryptography groups.

PhoneFactor is a leading provider of multi-factor authentication services. Its award-winning platform leverages a device every user has -- a phone -- to strongly authenticate logins and transactions. PhoneFactor offers out-of-band security, a better user experience, and a lower total cost of ownership via a simple, automated phone call, text message, or smart phone app.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.